Google makes good on promise to remove some Symantec PKI certificates

I was updating some online passwords this week when I ran across the following digital certificate error when trying to access my cable provider’s website, brighthouse.com, using Google Chrome:

Google

Over the last few years digital certificate errors have gotten less common. This one intrigued me for a bunch of reasons, not the least of which was that the certificate involved in the error was being used by a fairly big company and not some mom-and-pop shop that might not know their computer security from a hole in the ground.

I immediately clicked on the “Not secure” label preceding the offending URL to examine the digital certificate in more detail to see if I could figure where the error was. I’ve been doing public key infrastructure (PKI) and digital certificates for over 20 years. I like to figure out the errors myself, to see who made what goof.

Google’s own research has shown that the more a person knows about PKI and digital certificates, the more likely they are to ignore digital certificate errors and proceed to websites with digital certificate errors (which could be a bad move). For a few years this led to Google and Microsoft both providing less digital certificate information when a digital certificate error was encountered. Luckily, both companies seem to have reversed course and will let us digital certificate nerds do more detailed inspection when we feel motivated to do so.

So, I opened up and examined the offending digital certificate. Here’s some of what I saw:

Google

In a nutshell, I could find no errors or mistakes — at least none readily identifiable. It was using SHA256 (not SHA1). It had a 2048-bit RSA key (not 1024-bits). The subject, *.brighthouse.com, was correct for the website page I was viewing, and also re-entered under the subject alternative name (SAN) field. Most of the certificate errors I see are made in the subject or SAN fields, as they are linked to the URL domain name, but I couldn’t find any easy-to-identify errors. It perplexed me.

So, I quickly opened it up in Microsoft Edge, and the website and certificate displayed without error. In Edge, I opened the digital certificate, examined the serial number and thumbprint values, and compared them to the digital certificate in Google Chrome. They matched. Same certificate, but for some reason Chrome wasn’t liking it. I closed Edge and swapped back to Chrome.

Then I did what I should have done in the first place. I slowed down and read the actual error message that Chrome displayed:

Google

There, I saw the only clue I needed. The error message said NET:: ERR_CERT_SYMANTEC_LEGACY. That’s right. Last year Google went to war with Symantec over a bunch of purported issues, including the fact that Symantec, through one or more of its PKI businesses (VeriSign, Thawte, GeoTrust, RapidSSL, etc.) issued certificates containing Google domain names to entities not belonging to Google.

This was a pretty big deal in the computer security world last year. I expected the phrase, “Them’s fighting words,” to be said before revolvers were pulled. Ultimately, Google decided that they could no longer trust Symantec or any digital certificate Symantec issues, and they were going to, among many other actions, invalidate all Symantec-issued certificates very soon. This panicked much of the world because tens of millions, if not hundreds of millions, of public certs issued under the Symantec PKI arms would be involved. Google’s move could cause millions of otherwise trusted and beloved websites to start erroring out.

Google, after consulting with much of the industry, including the respected CA/Browser Forum public PKI standards group, decided to delay and phase in the invalidations over more time.

Well, that time is here.

Google has explained some of the timeline and how the impact was phased in over varying Chrome versions. Turns out not all the big companies who should have gotten their certificates updated before now have done so. Well, all the complaining customers and executives will probably get that rectified in short order.

Although I and many others think this part of Google’s solution was ham-fisted, I respect Google’s right to determine the safety of its own products and in erring on the side of safety. I do wish the error message was a bit more informative. It would have been great if the messaging was a little less “hackers are attacking you” and more of “The company you are connecting to is using an invalid digital certificate, click here for more details.” Not sure why warning messages provide so little useful information to the casual viewer. Perhaps that’s why my initial reaction was to gloss over the warning message and to start looking for the details on my own.

All of this is to say, if you use Google Chrome, expect a rise in digital certificate errors. If you see the Symantec_Legacy part of the warning message, you’ll know what it’s about.